Hi Kathleen,

Re 1:

As a subscriber, I would prefer not to be required to provide an email address to get a certificate. As such, would it be acceptable to allow polling an endpoint to get the revocation status? I already monitor OCSP for my domains, so I am already notified of revocations without the need for an inbox.

Thanks,
Sam Harrington

On Wednesday, December 29, 2021 at 2:11:41 PM UTC-8 [email protected] wrote:
> Thank you to those of you who have provided more feedback. I have updated the draft policy text here:
>
> https://docs.google.com/document/d/1ESakR4MiwyENyuLefyH2wG8rYbtnmG1xeSYvDNpS-EI/edit?usp=sharing
>
> I highlighted the changes in the document, and below is a summary of the changes.
>
> 1) The first sentence of the second paragraph has been changed to make my intent more clear, and I added a comment that we will need to determine an effective date because this means code changes (e.g. ACME).
>
> "When a certificate revocation is not initiated by the certificate subscriber, the CA MUST notify the certificate subscriber about its intent to revoke the end-entity SSL certificate at least 24 hours before revoking the certificate."
>
> I am open to feedback on the wording and the time frame (e.g. 24 hours), and I will also appreciate thoughts about the effective date for this new policy. I intend to require that CAs notify certificate subscribers before revoking their certificates, because when certificate revocation is enforced by the browser the CA can essentially cause a DoS for websites.
>
> 2) Per the feedback from Wendy (here <https://groups.google.com/a/mozilla.org/g/dev-security-policy/c/Cls1b2iuOLU/m/-wAFl43kCwAJ>), I replaced "affiliationChanged (3)" with "cessationOfOperation (5)" in the proposed text, because despite the previously referenced document <https://docs.microsoft.com/en-us/previous-versions/tn-archive/cc700843(v=technet.10)> about revocation reasons, I agree with Wendy that cessationOfOperation makes more sense with regard to a TLS certificate no longer being needed because the website it was used on has been taken down or the certificate subscriber no longer owns the domain name(s) in the certificate, whereas affiliationChanged seems to be about how a person is associated with an organization.
>
> So the "affiliationChanged (3)" paragraph has been replaced by the following.
>
> "cessationOfOperation (5)
>
> The CRLReason cessationOfOperation (5) MUST be used when the subscriber has requested that their certificate be revoked for this reason, or the CA has received verifiable evidence that the subscriber no longer owns the domain names in the certificate and there is no evidence of a private key compromise. Otherwise this CRLReason MUST NOT be used. The CRLReason cessationOfOperation (5) is intended to be used to indicate that the subscriber no longer owns the domain names in the certificate or will no longer be using the certificate. For example, this revocation reason should be used if the website with the certificate is shut down prior to the expiration of the certificate."
>
> I will continue to appreciate your input on this draft proposal.
>
> Thanks,
> Kathleen

To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/dev-security-policy/0fffa219-5b48-4d6c-8f59-000feeb0e0can%40mozilla.org.
